On these pages you will find more information about StepStone. Do you have additional questions about StepStone? Contact us at info@stepstone.nl

Privacy Statement

Thank you for visiting our website. The protection and confidentiality of your personal
data is of particular importance for StepStone.

In this document we will inform you about the processing of personal data in connection
with the services we offer at www.stepstone.nl and other websites or apps
(collectively referred to as “Platforms”) that incorporate this Privacy Statement. Personal data comprises all information that relates to an
identified or identifiable natural person (Article 4 (1) GDPR). This includes
information such as your name, e-mail address, postal address, or telephone
number. Information that is not directly associated with your identity, e.g.
the number of users of an Internet site, does not fall within this scope.

We provide you with a short version and a long version of our privacy statement. The short version gives you a quick overview of the essential aspects of data processing. The long version gives you a detailed insight.

Privacy Statement – Short Version

The data controller (hereinafter referred to as
“StepStone” or “we”) in the sense of the GDPR and other national data
protection laws of the member states as well as other data protection
regulations is:

StepStone NV/SA

Koningsstraat 47 Rue Royale

1000 Brussels

Tel: +32 2 209 98 00

E-mail: cs@stepstone.nl

2. Contact details of the data protection officer

You can reach our data protection officer under the following contact details: by e-mail at dataprotection@stepstone.nl

3. Purposes and legal basis of the data processing and period for which data will be stored

We process personal data for various purposes, which can be grouped together in a general way as follows:

the general use of our platforms and services, where we process data on the basis of a legitimate interest (pursuit of our business interests) or on the basis of your consent

the use of a job agent or a MyStepStone account, where we process data on the basis of a contract

data processing about businesses and their employees, where we process data in the context of a legitimate interest or a contract or due to a legal obligation.

The personal data of the data subject are stored as long as the purpose exists. For more details, see the long version of the Privacy Policy.

4. Recipients or categories of recipients of personal data

We use data processors. These may therefore receive personal data, as described in detail in the long version of the Privacy Statement. Furthermore, we may also transmit or provide data to third parties within the scope of your consent or a contract with you, as described in particular in the long version, so that these can receive data as described there.

5. Transfer of data to countries outside the EU or the EEA

In certain cases, we transfer personal information to countries outside the EU or the EEA (so-called third countries). Essentially, this can be the case if you are applying for a job and the job provider is based in a third country. Furthermore, we use data processors or, within the scope of a legitimate interest, service providers that process data in some cases in third countries. More details can be found in the long version of the privacy statement.

6. Duration for which personal data is stored

Generally speaking, the personal data is stored as long as the purpose exists. The individual storage periods have been set out in the long version for the respective purpose of the processing.

7. Rights of the data subject

You have various rights related to the processing of personal data. You have (depending on the circumstances) the right to request access to the personal data (Article 15 GDPR), to rectification (Article 16 GDPR) or erasure (Article 17 GDPR), to restriction of processing (Article 18 GDPR), a right to object (Art. 21 GDPR) and a right to data portability (Art. 20 GDPR). If the processing is based on consent, you can withdraw it at any time.
If you believe that the processing of your personal data is in violation of the GDPR, you have the right to complain to a supervisory authority.
Further information can be found in the long version of our privacy policy under “Rights of the data subject”.

8. Is there an obligation to provide personal information?

If you want to create a job agent or a MyStepStone account or if you would like to use our services as a business customer (you can find more details in the long version of the privacy statement), you have to provide certain data within the scope of the contract to be concluded. We will specify such data. In any other context, the provision of personal data is neither required by law nor by contract, nor are you required to provide personal information. However, the provision of personal data for the use of our services may also be partially required within the services we provide. In other words, if you do not provide us with the information we specify to be necessary, we may not be able to provide you with the full scope of services.

9. Amendment of the Privacy Statement; amendment of purpose

We reserve the right to change the privacy statement in accordance with the data protection regulations. The current version can be found here or at another place on our website or app that can easily be found. If we intend to process your data for purposes other than those for which it was collected, we will inform you in advance in accordance with the law.

Privacy Statement – Long Version

The data controller (hereinafter referred to as
“StepStone” or “we”) in the sense of the GDPR and other national data
protection laws of the member states as well as other data protection
regulations is:

StepStone NV/SA

Koningsstraat 47 Rue Royale

1000 Brussels

Tel: +32 2 209 98 00

E-mail: cs@stepstone.nl

2. Contact details of the data protection officer

You can contact our data protection officer by e-mail at dataprotection@stepstone.nl

3. Purposes and legal basis of the data processing and period for which data will be stored

In the following we inform you about the
different purposes for which we process personal data, on which legal basis
such processing takes place, and for how long we store the data.

Insofar as we obtain the consent of the data
subject for processing personal data, Art. 6 (1) (a) EU General Data Protection
Regulation (GDPR) is the legal basis for the processing of personal data. If
the processing of personal data is necessary for the performance of a contract
to which the data subject is a party, Art. 6 (1) (b) GDPR will be the legal
basis. This also applies to processing operations required to carry out
pre-contractual actions. If processing of personal data is required to fulfill
a legal obligation that our company is subject to, Art. 6 (1) (c) GDPR is the
legal basis. If processing is necessary to safeguard the legitimate interests
of our company or a third party, and if the interests, fundamental rights, and
freedoms of the data subject do not prevail over the first interest, Art. 6 (1)
(f) GDPR is the legal basis for processing.

The personal data of the data subject will be
stored for as long as the purpose continues.

3.1 Data processing in the context of a general use of our Platforms and
services

3.1.1 General access to our Platforms

With each access to our Platforms, we
automatically collect data and information from the accessing device and store
this data and information in the log files of the server. We may collect (1) the
browser types and versions used, (2) the operating system used by the accessing
system, (3) the website from which an accessing system accesses our website
(known as referrers), (4) the sub-web pages that are accessed on our website
(5) the date and time of access to the website, (6) an Internet protocol
address (IP address), (7) the Internet service provider of the accessing system
and (8) other similar data and information used to defend against any attacks on
our IT systems. For security purposes, i.e. to be able to reconstruct a
possible attack against our Platforms, we store such data including the IP
address for 14 days and then anonymize or delete such data. The IP address is
required during the connection to transfer the contents of our Platform to your
device. The legal basis for the processing and storage of the IP address is a
legitimate interest as per Article 6 (1) (f) GDPR. The legitimate interest for
the transmission of the IP address is that it is required to display the
contents of the website; without transmission of the IP address it is not
possible to display the content of the Platform. The legitimate interest for
the temporary storage lies in our security interests.

We may also store information about your usage
patterns on our Platforms in order to create statistical models to make our
Platforms more user-friendly and, in particular, to optimize the
functionalities to search for and recommend suitable job advertisements. In
this context we also save your IP address in a pseudonymized form (that means
that a natural person can no longer be identified based purely on the
information in the statistical model) to exclude automated accesses (bots) to
our Platforms when creating the statistical models. Legal basis for this
purpose is Art. 6 (1) GDPR. Our legitimate interest is to ensure the
functionality of the statistical model to improve our services. The IP address
is deleted after one year.

3.1.3 Application form

If we provide an application form on our
Platforms for job advertisements that are posted on our Platforms, and you
complete this without being logged in to a MyStepStone account (see clause 3.2.2 below) and click the button to
submit the application, we will submit the information you provide in the
application form to the provider who posted the advertisement on our Platform.
The legal basis here is your consent in accordance with Art. 6 (1) sentence 1
GDPR. Please note that the respective recruiter might not be based in the EU or the EEA, so it may be necessary under this contract to transfer the data to a country, or for your application to be accessed from a country, which has a lower level of protection under data protection law than the EU or the EEA. Please note that in the case of an application where the recruiter is not revealed, there is usually no right to be informed about the recipient, since this would adversely affect the confidentiality interests of the recruiter.

3.1.4 Newsletter

If you register for a newsletter, we use your
e-mail address to send you the respective newsletter, in which we regularly
inform you about interesting topics. To ensure that you are properly registered
for the newsletter, that is, to prevent unauthorized subscriptions on behalf of
third parties, we will use a double-opt-in process and send you a confirmation
e-mail after your first newsletter subscription; this e-mail will request you
to confirm the subscription. The legal basis here is your consent in accordance
with Art. 6 (1) sentence 1 a GDPR. In connection with your newsletter
registration, we also store your IP address plus the date and time of
registration and confirmation, so that we can trace and prove the registration
at a later date. The legal basis for this storage is a legitimate interest
within the meaning of Art. 6 (1) (f) GDPR, where the legitimate interest is in
being able to prove the registration. We will store your email address for sending
you the newsletter until you unsubscribe or we stop sending the newsletter to
you.

Additionally we may send emails about StepStone services that are similar to those you already use. Legal basis is a legitimate interest as per Art. 6 (1) sentence 1 f GDPR, namely the pursuit of our business interests.

The newsletters contain what are known as
tracking pixels for the statistical evaluation of our newsletter campaigns.
This is a miniature graphic embedded in HTML-formatted e-mails that lets us
know if and when you opened an e-mail and which links in the e-mail were
accessed. In this context your IP address will be transmitted to our servers,
but we will not store the IP address or any other personal data. The legal basis
for the use of these tracking pixels is a legitimate interest within the
meaning of Art. 6 (1) (f) GDPR, where the legitimate interest is in being able
to evaluate and optimize our newsletters.

You may object to all types of StepStone newsletters at any time.

3.1.5 Objections to marketing

If you raise an objection with us against
marketing purposes, we may put your personal contact information (name,
address, telephone number, fax number, e-mail address) on a blacklist to ensure
that we no longer send you any unwanted marketing material. The legal basis is
a legitimate interest within the meaning of Art. 6 (1) (f) GDPR, where the
legitimate interest is that we can meet our obligations from your objection
against marketing. The data will be stored for this purpose until you expressly
withdraw the objection to marketing in writing.

3.1.6 Contact form and e-mail contact

Our Platforms provide contact forms that can be
used to contact us electronically. By clicking the “Send” button, you consent
to the transmission to us of the data entered in the input form. In addition,
we save the date and time of your contact. Alternatively, contact via the
e-mail address provided is possible. In this case, the user’s personal data
transmitted along with e-mail and our response will be stored. The personal
data voluntarily transmitted to us in this context is used to process your
inquiry and to contact you as needed. The legal basis for the transmission of
the data is Art. 6 (1) (a) GDPR. The data will be used for this purpose until the
specific conversation with you has ended. The conversation will be deemed ended
when it can be inferred from the circumstances that the relevant facts have
been conclusively clarified.

3.1.7 StepStone surveys

StepStone organizes market surveys from time to
time. As part of such surveys we will not collect any personal data, but at the
end of the survey we might offer you the opportunity to participate in a
competition. In order to participate in the competition you will have to
provide us with your e-mail address, which we will only use for the purpose of
the competition to notify you if you have won a prize. In particular, the
e-mail address will be stored completely separately from your answers to the
survey. The legal basis for the storage of your email address is your consent
under Art. 6 (1) (a) GDPR. We will store your email address for this purpose
until the end of the respective competition.

3.1.8 StepStone salary planner

StepStone offers a salary planner. StepStone’s
salary planner compares the salary-related details provided by users about the
user's current job position, salary, professional experience, education, age
and gender with the same data of other users in an aggregated statistical
database and analyzes this comparison in order to present a salary comparison
for the user. After entering the above information and an e-mail address,
StepStone will send the user an access link to the salary comparison after
confirmation via double-opt-in email. The legal basis for this processing is
your consent. Consent is deemed given when you click the respective button to
receive the StepStone salary planner. We will store the salary planner we
created for you for a period of five years.

We can only provide you with the salary planner
if we can statistically analyze all salary related details from all users.
Thus, we will also collect the data provided by you under point 3 a to produce
the salary comparison under clause 3 a in a statistical database. We will not
store any personal data about you that could be linked directly to you. In
particular, we will not store your email address in this database. The legal
basis for this processing is a legitimate interest of StepStone to provide the
salary planner and there is no reason why any of your interests or fundamental rights
and freedoms which require protection of personal data override our interest.

3.1.9 Use of data processors for hosting and securing our platforms,
administrative, troubleshooting, and support services

We use data processors, which we list below, to
provide our services. The legal basis for using these data processors is
legitimate interest under Art. 6 (1) (f) GDPR. The legitimate interest lies in
the execution of our business activities, particularly to provide the services
described elsewhere in this Privacy Statement. No conflicting interest is
apparent because we have entered into a data processing agreement with the
respective processors under Art. 28 GDPR.

3.1.9.1 Hosting

We use data processors to host our Platforms
and for back-up services, meaning that personal data that is stored on our
platforms is transferred to these data processors. These data processors are
Amazon Webservices, Inc., 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA
(who processes data solely in the EU), StepStone GmbH, Axel-Springer-Str. 65,
10969 Berlin, Germany and StepStone Continental Europe GmbH, Völklinger Straße
1, 40219 Düsseldorf, Germany. These data processors will store the data for the
same duration as it is stored on our Platforms for the various purposes defined
in this Privacy Statement.

3.1.9.2 Administrative, troubleshooting, and support services

We use StepStone Services sp. z o.o., ul.
Domaniewska 50, 02-672 Warsaw, Poland, for administrative, troubleshooting, and
support services, which may consequently also have access to your personal
data. Generally StepStone Services sp. z o.o should not store any personal
data. This will only be done in exceptional cases, e.g. if needed to rectify
technical issues. In such cases personal data will only be stored to the extent
and for the duration that is necessary.

3.1.9.3 Sending of e-mails and other messages

For the sending of e-mails and messages through
other electronic channels we use the services of Selligent GmbH, Atelierstraße
12, 81671 Munich, Germany, as a data processor, who in turn uses the following
subcontractors

Accordingly, these parties may also be provided
with your personal data in the course of data processing commissioned by us. It
will be stored there for a period that is otherwise lawful for purposes under
this Privacy Statement, i.e. in particular for the contractual
communications in the course of contracts with you or otherwise for promotional
communications.

The use of Selligent, Inc. is permitted under Art. 45 GDPR, as they are Privacy Shield certified and thus, according to the Implementing Decision of the Commission (EU) 2016/1250 (http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE), an adequate level of data protection exists. The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000PBKYAA4&status=Active.

The legal basis for our use of Selligent is a
legitimate interest under Art. 6 (1) sentence 1 f GDPR, namely the execution of
our business purposes in the course of the processes described elsewhere in
this Privacy Statement. No conflicting interest is apparent in this
respect, in particular due to the fact that we have entered into a data
processing agreement with Selligent.

3.1.9.4 Proxy caching and web application firewall

We use Akamai Technologies GmbH, Parkring
20-22, 85748 Garching, Germany and Akamai Technologies, Inc., 150 Broadway,
Cambridge, 02142 MA, USA as data processors for the purposes of proxy caching
and web application firewall services. That means that any visit to our
websites is routed through the servers of Akamai, meaning that the user will
not be connected directly to our servers but to those of Akamai and Akamai will
then request the content from our servers and will deliver it to the user.
Proxy caching in this context means that Akamai will cache selected content
(but not personal data) for a period of 24 hours, so that this can be delivered
faster to you. The web application firewall means that Akamai will try to
identify malicious web traffic and will prevent it from accessing our websites.
Akamai does not store any personal data, but any dataflows between our servers
and the user will be routed through Akamai, so that this can also include
personal data. Data transferred to Akamai Technologies, Inc is transferred
outside the EU and the EEA. This is permissible under Art. 45 GDPR because
Akamai Technologies, Inc is Privacy Shield certified and thus an adequate level
of protection exists according to the Implementing Decision of the Commission
(EU) 2016/1250
(http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The certification can be viewed at
https://www.privacyshield.gov/participant?id=a2zt0000000Gn4RAAS&status=Active.

With respect to Akamai, the additional
legitimate interest in the context of the legal basis is that we thereby are
also implementing technical and organizational measures to protect our
Platforms and the personal data stored on them.

3.1.10 Google Re-Captcha

In specific cases we use the reCAPTCHA service
https://www.google.com/recaptcha/intro/ by Google Inc., 1600 Amphitheater
Parkway, Mountain View, CA 94043, USA, (“Google”) based on a legitimate
interest (i.e. the interest to ensure the correctness of data, avoidance of
automatic registrations / orders by so-called bots, and economical operation of
our online offering within the meaning of Art. 6 (1) f) GDPR).

Google is certified under the Privacy Shield
Agreement and thus warrants that it complies with European privacy legislation
(https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

We use re-Captcha to distinguish whether an
input is made by a human or abusively by automated, mechanical processing. The
query in this context includes the sending of the IP address and any other data
required by Google for the reCAPTCHA service to Google. Your input will be
transmitted to Google and analyzed for this purpose.

For more information about Google reCAPTCHA and
Google’s Privacy Statement, please visit the following links:
https://www.google.com/intl/en/policies/privacy/ and
https://www.google.com/recaptcha/intro/android.html.

3.1.11 Cookies and similar technology

We use cookies on our websites. Cookies are
text files that are stored on a computer system via an Internet browser. We use
such cookies both as a technical means of providing services on our Platforms
as well as for analyzing the website behavior of our visitors and on that basis
developing a more user-friendly design of our offerings. For this purpose, we
may also use other techniques, such as tracking pixels or code in apps. In
addition, we may use these cookies or other techniques to target you with
interesting job advertisements and other content. For the sake of clarity, we
have moved the information on cookies and similar techniques to section 4 of this Privacy Statement. More details
can be found there.

3.1.12 Cookies and similar technology

For some of the job ads on our Platforms, Network eG, Völklinger Str. 1, 40219 Düsseldorf, Germany, http://www.the-network.com/legal-information acts as an intermediary. That means that some of the job ads published on our Platforms may contain

a counting pixel from Network eG, and/or

a redirection to the recruiter’s application site through a link of Network eG, and/or

a link to an application form operated by Network eG

Network eG is an international sales alliance. It acts as intermediary between us and job boards from various other countries and enables the customers from these other job boards to publish their job ads on our Platforms.

The above mentioned cases are part of the intermediation services provided by Network eG. In case of a link to an application form there will be a detailed privacy policy from the Network in such form, so that we do not go into details here.

The purpose of the counting pixel is to count the number of visitors to the respective job ad in order to inform the customers how often the job ad was visited. The purpose of the redirection is to count how often the application button in the job ad was clicked. In these cases your IP address will be transmitted to Network eG but it will not be stored.

Network eG may use technical service providers for hosting and administrative purposes, which are Amazon Webservices, Inc., 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA (who processes data solely in the EU), StepStone GmbH, Axel-Springer-Str. 65, 10969 Berlin, Germany, StepStone Continental Europe GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany, Online Recruitment Network BVBA, StepStone N.V., Koningsstraat 47 Rue Royale, 1000 Brussels, Belgium and StepStone N.V., Koningsstraat 47 Rue Royale, 1000 Brussels, Belgium. For the purpose of web application firewall services, Network may use Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany and Akamai Technologies, Inc., 150 Broadway, Cambridge, 02142 MA, USA as data processors, i.e. Akamai will try to identify malicious web traffic and will prevent it from accessing Network’s services. Akamai does not store any personal data, but any dataflows between Network’s servers and you will be routed through Akamai, so that this can also include personal data.

Akamai Technologies, Inc is Privacy Shield certified and thus an adequate level of protection exists according to the Implementing Decision of the Commission (EU) 2016/1250 (http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE). The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000Gn4RAAS&status=Active.

You are in no case legally, contractually or otherwise required or obliged to provide personal data in the context of the counting pixel or the redirection. No personal data will be stored as part of the counting pixel or the redirection. Network eG will only count the number of visitors on a purely anonymous basis. Since no personal data is stored, no right exists to request access to, rectification of, restriction of the processing of or data portability of personal data. You have the right to object to the aforementioned processing of your IP address, on grounds relating to your particular situation. In such case please contact Network eG directly. Notwithstanding any other administrative or judicial legal remedy, you have the right to lodge a complaint with a supervisory authority in the Member State of your place of residence, your workplace, or the place of the alleged breach if you are of the opinion that the counting pixel and/or the redirection breaches GDPR. The supervisory body to which the complaint was submitted will notify the complainant of the status and outcomes of the complaint including the option of a judicial remedy under Art. 78 GDPR.

The legal basis is a legitimate interest of Network eG under Art. 6 (1) sentence 1 f GDPR, namely that the Network can inform its customers of clicks on the apply button and/or the visitors to the job ads intermediated by Network eG. Since no personal data will be stored and in most cases the IP address does not directly relate to a natural person anyway, the Network eG’s interest is not overridden by your interest.

3.1.13 YouTube videos

In the context of a legitimate interest according to Art. 6 para. 1 p. 1 GDPR, namely an attractive design of our websites, we use YouTube for the integration of videos. YouTube is operated by YouTube LLC, headquartered at 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google Inc., located at 1600 Amphitheater Parkway, Mountain View, CA 94043, USA.

On some of our websites we use plugins from YouTube. If you access our websites with such a plugin – for example a media library – a connection to the YouTube servers will be established and the plugin will be displayed. It will then be communicated to the YouTube server which of our websites you have visited. If you are logged in as a member of YouTube, YouTube can assign this information to your personal user account. When using the plugin, e.g. by clicking on the start button of a video, YouTube can also assign this information to your user account. You can prevent this by logging out of your YouTube user account and other user accounts of YouTube LLC and Google Inc. before using our website and deleting the corresponding cookies from the companies.
As a Google subsidiary, YouTube is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). For more information on data processing and tips for data protection by YouTube (Google), see www.google.de/intl/de/policies/privacy/.

StepStone offers a variety of services for your
career development. StepStone aims to support you at all stages of your
professional life. In particular, you can subscribe to a Job Agent and can
create a MyStepStone account in which we process personal data. In this section
3.2, we inform you about the purpose,
the respective legal basis as well as the storage duration of these processing
operations.

First we offer you the opportunity to enter
into a contract to receive a Job Agent. The purpose of data processing in the
context of a Job Agent is for us to send you regular e-mails about job
vacancies that correspond to a predefined profile or are recommended to you
based on your user behavior. Details of the Job Agent can be found in our Terms
of Use. The legal basis is Art. 6 (1) (b) GDPR. We store the data under a
contract for the use of the Job Agent for the duration of the contractual term,
i.e. until you or we terminate your Job Agent.

Secondly we offer you the opportunity to enter
into a contract for a MyStepStone account, where you can use additional
functions and correspondingly define the scope of the contractual use. The
purposes of the data processing under this contract are that:

- We will submit an application to a recruiter via your MyStepStone account when you complete our application form and click the button to submit the application. The legal basis is your contract with us as per Art. 6 para. 1 p. 1 b GDPR. Please note that the respective recruiter might not be based in the EU or the EEA, so it may be necessary under this contract to transfer the data to a country, or for your application to be accessed from a country, which has a lower level of protection under data protection law than the EU or the EEA. Please note that in the case of an application where the recruiter is not revealed, there is usually no right to be informed about the recipient, since this would adversely affect the confidentiality interests of the recruiter.

- We store the applications you make through our Platforms in your MyStepStone
account for you until you delete a stored application.

- You can create a profile under the contract for your MyStepStone account. Which
personal data is transmitted to us in this context depends on your uploads or
your input into the relevant fields. We will analyze the content and structure
of any uploaded documents in an automated process in order to improve the
services we provide to you. You can define the scope of the contractual use of
this profile. You can either use it to apply to vacant positions only
(including applications to box number advertisements), see below; or you can
make the profile accessible partially or fully to potential employers who are
StepStone customers and use the StepStone CV database or similar products. In
the context of profiles made fully available, we may also use your profile data
to find publicly available, business-related social media profiles and link
these to your profile. Your profile will be stored until you delete it or the
contract for your MyStepStone account is terminated. Please be informed that,
as far as you make your profile accessible to recruiters, a recruiter could
also be located outside of the EU/EEA. That means that, as part of the contract
between you and us, it might be necessary that your profile is accessed from a
country that does not have the same level of data protection as the EU or EEA.

- If you have created a profile and access a job application form made available on
our Platforms for job advertisements published on our Platforms, we will use
your profile data to complete this form and, when you click the button to
submit the application, we will send the data recorded with the form and make
your profile accessible to the recruiter who published the respective job
advertisement with us. Again, please be informed that the respective recruiter
might not be located in the EU or EEA, so that, as part of the contract between
you and us, it might be necessary that the data is transmitted to or accessed
from a country that does not have the same level of data protection as the EU
or EEA.

Further details about the MyStepStone account
can be found in our Terms of Use. In connection with the registration of a
MyStepStone account and the setting of the various functions, we will also
store your respective IP address and the date and time of registration or
setting of functions. The legal basis for the storage and use of your personal
data in connection with your MyStepStone account is Art. 6 (1) (b) GDPR.

We store your personal data for as long as
necessary to provide the contractually agreed service. The personal data stored
by you in your “MyStepStone” account is available to you for the duration of
the contract and will be stored by us for this period. The personal data will
be erased if you do so in relation to individual data or ask us to do so or if
the contract ends, that is, if you or we terminate the contract; further
details are available in the terms of use.

Additionally, we use information provided by
you as part of a profile in order to optimize the job search and job
recommendations for you and other users of our Platforms using the statistical
model described in clause 3.1.2. In this context we store certain
parts of your profile which by themselves or in combination with each other
cannot be used to identify you along with a pseudonymized user ID in the
statistical model. Based solely on this pseudonymized ID you are not
identifiable from within the statistical model: an identification would
theoretically only be possible by externally pseudonymizing the user ID
assigned to your MyStepStone account and then comparing the outcome with all
pseudonymized user IDs stored in the statistical model. If we optimize the job
search and the job recommendations for you with the statistical model, this is
done in the context of your contract via the MyStepStone account on the legal
basis of Art. 6 (1) (b) GDPR. If we use the data to generally improve our
statistical model and thus also services for other users, this is done on the
basis of a legitimate interest under Art. 6 (1) (f) GDPR. By deleting your
MyStepStone account, your data will be completely anonymized in the statistical
model, as the pseudonymized user ID stored in it will no longer allow any
reference to your MyStepStone account. Our legitimate interest is in pursuing
our business interests to improve our services. No conflicting interest is
apparent, since the data is required during the contract period for achieving
the purpose of the contract for the MyStepStone account and identification is
no longer possible after the end of the contract.

3.2.3 Facebook Connect

With Facebook Connect, you can use your
Facebook account to open a new MyStepStone account at StepStone or to connect
to a MyStepStone account. If you create a MyStepStone account via Facebook or
log in to an existing MyStepStone account via Facebook, we will gain access to
your public profile and your e-mail address.

We use this information to pre-populate or
update your MyStepStone account at StepStone and then provide you with the
MyStepStone account in accordance with clause 3.2.2.

Since we use your Facebook data to create a
MyStepStone account, the legal basis is the contract for the MyStepStone
account pursuant to Art. 6 (1) (b) GDPR, as described in clause 3.2.2. We will store your personal data
for the purposes and period described in point 3.2.2.

Our services for recruiters aim to provide
businesses with a wide selection of suitable candidates. In doing so, we
process personal data of businesses (data relating to businesses is only
personal data if the business is operated by one or more natural person/s) or
employees of such businesses. The respective businesses may be in a contractual
or pre-contractual relationship with us, but in some cases we may also process
data about businesses and their employees if there is no such pre-contractual
relationship. In this section 3.3 we inform you about the purpose, the
respective legal basis as well as the retention period of such processing about
businesses or their employees as well as the data categories, provided we do
not collect the personal data from the data subject. The data will be deleted
as soon as it is no longer necessary for the achievement of the purpose, that
is, no contract with the customer exists and we no longer intend to enter into
a contract with the respective customer and a legitimate interest no longer
exists and, moreover, we are no longer obliged to keep records that may contain
personal data.

We process personal data for the purpose of
contract management, that is, so that we can provide our customers with the
contractual services and also for associated pre-contractual purposes. If the
customer is a natural person, the legal basis is that the processing is
required for the performance of a contract or for the performance of
pre-contractual measures pursuant to Art. 6 (1) sentence 1 b GDPR. If we
process personal data of employees of the customer, the legal basis is a
legitimate interest pursuant to Art. 6 (1) sentence 1 f GDPR. The legitimate
interest lies in the conduct of our business and that of the customer. There is
no conflicting interest of the data subject because, from the point of view of
our customer, we are required to perform the processing in the context of the
existing employment relationship with the data subject (section 26 GDPR). We store personal data for this purpose
for the term of the contract.

Furthermore, we store accounting records in
order to comply with statutory retention periods under Art. 6 of the law of
17 July 1975 regarding the accounting of enterprises and Art. 9 of the Royal
Decree of 12 September 1983 executing the law of 17 July 1975 regarding the
accounting of enterprises for the duration of seven years, whereby the term
begins on the 1st January of the year following the finalization of
the accounting book. The legal basis for this purpose is Art. 6 para. 1 lit. c GDPR.

3.3.2 Customer services

We process the personal data of a business or
its employees (as a contact person) obtained in connection with a contract with
or a request from a prospective customer, including after the end of the
contract and, if no contract is entered into, for the purpose of customer
services and particularly, in case of a new request of the customer or
prospective customer, to be able to recommend suitable services on the basis of
the previous contracts or inquiries. The legal basis is a legitimate interest
under Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the
execution of our business activities. We store personal data for this purpose
for as long as we believe the respective customer might enter into an initial
or further contract with us in future, which is the case as long as the
customer does not specifically inform us that he or she does not intend to
enter into any contract with us under any circumstances.

3.3.3 StepStone Recruiter Space

In order to use and manage their contractual
services, our customers or their employees can use the StepStone Recruiter
Space. In this context, we process such personal data of the respective
customer or its employees as was provided by them, as well as the respective
contractually agreed or offered services and the manner in which they are
utilized. When using our Direct Search Database we also collect and save
which CVs were accessed and when. In order to prevent abuse and thereby guarantee proper
billing and to ensure and verify that the StepStone Recruiter Space and the
contractual services are functioning correctly at all times, and in particular
to allow our customer service team to solve problems that may arise for
specific customers, we will, upon every use of the StepStone Recruiter Space,
additionally collect and store the Corporate User ID (i.e. the user’s username)
and the Company ID (i.e. the name of this customer based on the specific user's
affiliation with a specific StepStone customer).

If the customer is a natural person, the legal
basis is that the processing is required for the performance of a contract or
for the performance of pre-contractual measures pursuant to Art. 6 (1) sentence
1 b GDPR. If we process personal data of the customer's employees, the legal
basis is a legitimate interest pursuant to Art. 6 (1) sentence 1 f GDPR. The
legitimate interest lies in the conduct of our business and that of the
customer. There is no conflicting interest of the data subject because, from
the point of view of our customer, we are already required to perform the data
processing in the context of the existing employment relationship with the data
subject (section 26 GDPR). Personal
data will be stored for this purpose for the term of the contract for the use
of the StepStone Recruiter Space.

Additionally, we use the data collected under
this section in anonymous form to produce statistics about the general behavior
of the customers of the Direct Search Database. This allows us to make the
services more customer-friendly. The legal basis is a legitimate interest
pursuant to Art. 6 (1) sentence 1 f GDPR. The legitimate interest lies in the
execution of our business activities.

3.3.4 Data processing when publishing advertisement products

If our customers publish advertising products
or company portraits on our Platform, we process personal data of the customer
where the customer is a natural person. If our customer specifies an employee’s
contact data in an advertisement product, we process this employee’s personal
data to provide the relevant data to our users as part of the advertisement on
our Platform and to ensure that the advertisement can be found via the search
functionality on our Platforms. To increase the reach of the advertisement by
submitting it to our co-operation partners, we may, in whole or in part, submit
the advertisement content to our co-operation partners who provide the
advertisement or a preview on their web site. If the customer is a natural
person, the legal basis is that the processing is necessary for the performance
of a contract pursuant to Art. 6 (1) sentence 1 b GDPR. If the advertisement
contains contact details of employees of the customer, the legal basis is a
legitimate interest pursuant to Art. 6 (1) sentence 1 f GDPR. The legitimate
interest lies in the conduct of our business and that of the customer. There is
no conflicting interest of the data subject because, from the point of view of
our customer, we are required to perform the processing in the context of the
existing employment relationship with the data subject (section 26 GDPR). We will store the data for this purpose
for the contractual term during which the job advertisement is available on our
Platforms.

If you place an online order on our
website, we will collect various information required for the performance of
the contract. The legal basis for the processing is Art. 6 (1) sentence 1 b
GDPR. The data is stored for the duration of the contract as per above clause 3.3.1. For the handling of payments we use BS PayOne GmbH, Lyoner Straße 9,
D-60528 Frankfurt/Main, Germany. PayOne is therefore a recipient of the
personal data collected in connection with the payment. The legal basis for the
use of PayOne GmbH is the fulfillment of the contract as per Art. 6 (1)
sentence 1 b GDPR. The personal data is stored for the duration of the
handling of the payment.

3.3.6 Data processing for general marketing purposes

We process personal data about our customers as
well as other companies and companies that are not in a business relationship
with us and in this context, if necessary, also from the respective contact
persons for the purpose of direct marketing, as far as legally permitted. If we
did not collect this data directly from the respective data subject, we may
also collect contact data about the data subject from publicly available
sources, in particular the website of the respective company, classified directories,
or advertisements of the respective business. In connection with these direct
marketing purposes, we can also process information about the previous
contracts of our customers and specifics about the business such as industry or
size of the business in order to make the advertising as appropriate as
possible. The legal basis is a legitimate interest in accordance with Art. 6
(1) sentence 1 f GDPR. The legitimate interest lies in the processing of
personal data for the purpose of direct advertising itself (see recital 47
GDPR). The data subjects have the right to object at any time to the processing
of personal data concerning them for the purpose of such advertising. You
can object at any time using the contact details set out in clause 1; in the case of advertising by
e-mail, you will also find an opt-out link directly in the respective e-mail.
We will store personal data for this purpose as long as we are still interested
in entering into a contract with the respective business or until the business
objects.

3.3.7 StepStone webinars

When you register for a StepStone webinar, we
collect certain information to enable you to participate in the webinar. The
legal basis here is your consent in accordance with Art. 6 (1) sentence 1 a
GDPR. We will store the data for this purpose until the webinar has taken
place. We use LogMeIn, Inc., 333 Summer Street, Boston, MA 02210 USA to collect
the registration data and provide the webinar as a data processor, and this
party will be a recipient of your personal data in this context. Data will be
transferred to the USA, i.e. into a country outside of the EU or the EEA. The
transfer is permitted under Art. 45 GDPR as LogMeIn, Inc., is Privacy Shield
certified and thus an adequate level of protection exists according to the
Implementing Decision of the Commission (EU) 2016/1250
(http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The Privacy Shield notice can be accessed at https://www.logmeininc.com/de/legal/privacy-shield. Additionally, we have entered into
the standard contractual clauses which are available at https://logmeincdn.azureedge.net/legal/20170201/DPA/LMIDataProcessingAddendum2017.v1SAMPLE.pdf as a sample, so that a transfer is
also permitted under Art. 46 (2) (c) GDPR.

We will also use the information you input to
provide you with marketing as described in section 3.3.5, which is included herein by
reference.

3.3.8 Zendesk - Support Tool

We use a tool provided by Zendesk Inc., 1019 Market Street,
6th Floor, San Francisco, California 94103, to process customer
inquiries. Information such as last name, first name, postal address, telephone
number, and email address is recorded on our website in order to answer your
questions.

For more information about Zendesk’s data processing, see
Zendesk’s Privacy Policy at http://www.zendesk.com/company/privacy.

If you contact us by email or via a form, we use the personal
data you provide exclusively for processing the specific request. The data and
the history of the service request are stored for follow-up questions and
subsequent contact.

Data will be transferred to the USA, i.e. into
a country outside of the EU or the EEA. The transfer is permitted under Art. 45
GDPR as Zendesk Inc., is Privacy Shield certified and thus an adequate level of
protection exists according to the Implementing Decision of the Commission (EU)
2016/1250
(http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The Privacy Shield certificate can be accessed at https://www.privacyshield.gov/participant?id=a2zt0000000TOjeAAG&status=Active. Additionally, we have entered into
the standard contractual clauses which are available at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 as a sample, so that a transfer is
also permitted under Art. 46 (2) (c) GDPR.

The ground of processing for the use of Zendesk is legitimate
interest as per Art. 6 para 1 f GDPR. The legitimate interest is to provide you
with an easy to use customer support tool.

We use cookies on our websites. Cookies are
text files that are stored on a computer system via an Internet browser. We use
such cookies both as a technical means of providing services on our Platforms,
for enabling e.g. certain functions, as well as for analyzing the website
behavior of our visitors and on that basis developing a more user-friendly
design of our offerings. For this purpose, we can also use other techniques,
such as tracking pixels or code in apps. In addition, we may use these cookies
or other techniques to target you with interesting job advertisements and other
content.

Some of the cookies we use are deleted at the
end of the browser session, i.e. when you close your browser (known as session
cookies). Other cookies are kept on your end device and enable us or our
partner companies to recognize your browser on the next visit (persistent
cookies).

If not specifically stated below, you can view
the exact retention period of a given cookie by displaying the cookie in your
browser.

You can set your browser up such that you are
notified when a cookie is set and can decide individually whether to accept
them or whether you opt out of accepting cookies for specific cases or
generally. If you opt out of accepting cookies, the functionality of our website
may be limited. We deal with specific cookies or similar technology below.

We use
technical cookies. These are cookies that are merely required to collect
certain information on our Platforms to provide a service required or wanted by
you as user. This extends to navigation or session cookies that enable smooth
navigation and use of the website (and for instance permit access to the
restricted area); analysis cookies that are set directly by us to collect
aggregated information about the number of users and their behavior; functional
cookies that provide you with navigation by certain selected criteria as part
of a service optimization (e.g. selected language, purchase of selected
products).

The legal basis
for these cookies is a legitimate interest under Art. 6 (1) sentence 1 f GDPR,
namely pursuance of our business purposes.

4.2 Cookies and technologies that we use via third party providers

We also use
cookies or other technology provided to us by external providers in various
areas. In the following, we inform you about the respective providers and how
you can object to the cookie or the corresponding technology. In general, in
the case of websites, you can make an appropriate setting in your browser and
in case of our apps you can make the respective setting with the slider for
anonymous statistics under "Settings".

4.2.1 Criteo

On our website we use services by Criteo SA, 32
Rue Blanche, 75009 Paris in the framework of our common responsibility as
defined under Art. 26 GDPR.

The purpose of the processing is retargeting,
which means that when you have viewed certain offers on the website, we may
show you advertising for similar offers from us on websites or other
third-party platforms. We designate the scope of the respective advertising
campaign in line with the contract with Criteo. The implementation of this
advertising campaign, including the decision on which advertisements are
delivered where is then the responsibility of Criteo. To that end a code from
Criteo is executed on our pages directly by Criteo and what are known as
(re)marketing tags (invisible graphics or code, also known as web beacons) are
integrated into the website. These are used to store an individual cookie, i.e.
a small file on your device (comparable technologies may also be used instead
of cookies). This file records which websites the user visits, the content he or
she is interested in and which offers he or she has clicked. It also stores
technical information on the browser and operating system, referring websites,
time of visit and other information on the use of the online offering. Criteo
may also combine the above information with information from other sources. If
the user subsequently visits other websites, tailored advertisements can be
displayed depending on his or her interests.

On our web pages we use the services of
TRACKUITY bvba, registered office at Ridderstraat 15A, 9000 Gent, Belgium.

The purpose of the processing is retargeting,
that is, if you have viewed certain offers on our websites, we may display
advertisements on similar websites for you on websites or other third-party
platforms. For this purpose, individual cookies are stored through our website by
Trackuity on your device. Trackuity uses only anonymized data; personal data is
not stored.

For more information, as well as about opting
out of tracking through Trackuity, see: https://www.trackuity.com/opt-out

Our websites use web and security analysis
techniques from Akamai Technologies, Inc. (“Akamai”). These techniques use
cookies, text files and beacons that are stored on your computer and that
enable Akamai (i) to perform security analyses and thus prevent unauthorized
access to our websites and (ii) to analyze the use of the websites by you. The
information generated by the cookies or beacons about the access to our
websites, including your IP address and other data from log files, is
transferred to Akamai's servers, some of which are located in the USA, where it
is stored and processed. This is permissible under Art. 45 GDPR because Akamai
is Privacy Shield certified and thus an adequate level of protection exists
according to the Implementing Decision of the Commission (EU) 2016/1250
(http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The certification can be viewed at
https://www.privacyshield.gov/participant?id=a2zt0000000Gn4RAAS&status=Active.

Akamai will use this information to prevent
unauthorized access to the websites, to produce reports about website activity
for us, to perform further services associated with the website use and
Internet use, and to analyze your use of our websites. Akamai may also pass
this data to third parties if Akamai is required to do so by law or if these
third parties are processing this data on behalf of Akamai. Akamai will not use
the data to identify natural persons. You can prevent the storage of cookies or
beacons by making a corresponding setting in your browser software; however,
note that if you do so you may not be able to use the full functionality of
this website. You can view the precise storage duration of the cookies for
yourself by accessing this information via your respective browser.

The legal basis is a legitimate interest under
Art. 6 (1) sentence 1 f GDPR, namely pursuance of our business purposes and the
protection of our websites.

4.2.4 Hotjar

We use Hotjar, a web analytics service of
Hotjar Ltd, Level 2, St Julian's Business Center, 3, Elia Zammit Street, St
Julian's STJ 1000, Malta ("Hotjar") in order to better understand our
users’ needs and to optimize this service and experience. Hotjar is a
technology service that helps us better understand our users' experience (e.g.
how much time they spend on which pages, which links they choose to click, what
users do and don’t like, etc.) and this enables us to build and maintain our
service with user feedback. Hotjar uses cookies and other technologies to
collect data on our users’ behavior and their devices (in particular device's
IP address (captured and stored only in anonymized form), device screen size,
device type (unique device identifiers), browser information, geographic
location (country only), preferred language used to display our website).
Hotjar stores this information in a pseudonymized user profile. Neither Hotjar
nor we will ever use this information to identify individual users or to match
it with further data on an individual user. For further details, please see
Hotjar’s privacy policy by clicking on https://www.hotjar.com/privacy.

You can opt-out from the creation of a user
profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use
of tracking cookies on other websites by following this link
https://www.hotjar.com/opt-out.

We have a contract processing agreement with
Hotjar. The use of Hotjar is based on a legitimate interest according to
Art. 6 para. 1 p. 1 f GDPR. Our legitimate interest is the user-friendly
design of our websites.

4.2.5 AppSee

To analyze the usage of our apps, we use the
app analysis service AppSee of Shift 6 Ltd. Menorat Hamaor 3, Tel Aviv, Israel.

The user behavior within the apps is analyzed
in order to identify causes of errors and to constantly improve the user
experience. Only anonymous data is collected and stored; details of the stored
information can be found at
https://support.appsee.com/customer/en/portal/articles/2686233-what-types-of-data-does-appsee-capture.
A storage of personal data does not take place. To create the anonymized data,
your IP address may be processed by Shift 6 and its affiliate US company AppSee
Inc. Such processing can also take place in the US or Israel. A transfer of
personal data to Israel is allowed under the Adequacy Decision 2011/61/EU
(https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32011D0061), as
Israel therefore has a level of data protection that is adequate compared to
the EU, and in the US Appsee Inc is certified under Privacy Shield, and thus in
accordance with Commission Implementing Decision (EU) 2016/1250
(http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016D1250&from=DE)
there is an adequate level of data protection. The
certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000TSUAAA4&status=Active

You will find further information about the
privacy of Appsee at: http://www.appsee.com/legal/privacypolicy.

The legal basis for the use of Appsee is a
legitimate interest under Art. 6 para. 1 sentence 1 f GDPR. Our legitimate
interest is the user-friendly design of our offers.

You can object to the use of Appsee at any time
by changing the setting of the slider for anonymous statistics in the app under
"Settings".

4.2.6 Fabric Crashlytics

We use the Fabric Crashlytics service offered
by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to
better address technical issues related to our mobile apps. Fabric Crashlytics
is an analytics service that collects technical information about the device
(such as the operating system and model) and app usage data, specifically
related to system crashes and errors. We use this information to collect data
on app usage specifically related to system crashes and errors, and to better
understand how our users use the app to improve the app. The information
collected is available only in anonymous form. A storage of personal data does
not take place. Google Ireland Limited may use Google Inc., 1600 Amphitheater
Parkway, Mountain View, CA 94043, as a subcontractor. Google Inc. is certified
under the Privacy Shield Agreement, which provides a guarantee to comply with
European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Other subcontractors that Google can use can be found here:
https://fabric.io/terms/subprocessors.

For more information, see the Fabric
Crashlytics Terms of Use at: https://fabric.io/terms.

The legal basis for the use of Fabric
Crashlytics is a legitimate interest under Art. 6 para. 1 sentence 1 f GDPR.
Our legitimate interest is the user-friendly design of our apps.

You can opt out of using Fabric Crashlytics at
any time by changing the setting of the slider for anonymous statistics in the
app under "Settings".

4.2.7 Adjust

We also use the app analysis service Adjust
(adjust GmbH, Saarbruecker Str. 38a, 10405 Berlin) to analyze the usage of our
apps. The Adjust service has been tested and certified according to the
ePrivacyseal (European Privacy Seal) (see
https://www.eprivacy.eu/en/customers/awarded-seals/).

When using the app, Adjust collects
installation and usage data on our behalf. We use this anonymous information to
understand how our users interact with our app. Adjust uses your anonymized
IDFA or Android ID as well as your anonymized IP and MAC address. It is not
possible to identify you. A storage of personal data does not take place
accordingly.

For more information, see Adjust's Privacy
Policy: https://www.adjust.com/privacy-policy/.

The legal basis for the data analysis and use
of Adjust is a legitimate interest (i.e. interest in the analysis, optimization
and economic operation of our apps) in the sense of Art. 6 (1) (f) GDPR for the
purposes of our own market research, advertising purposes and the optimization
and user friendly design of the apps. There is no apparent conflicting
interest, especially since we have concluded a data processing agreement with
Adjust.

You can opt out of using Adjust at any time by
changing the setting of the slider for anonymous statistics in the app under "Settings".

Firebase Analytics enables the analysis of the
use of our apps. This completely anonymized information about the use of our app
is collected and transmitted to Google and stored there. Google uses the
advertising ID of the device. Google will use this information to evaluate the
use of our app and to provide us with other services related to the use of
apps. In Device Settings, you can restrict the use of the Advertising ID (iOS:
Privacy / Advertising / No Ad Tracking, Android: Account / Google / View).
Google Analytics for Firebase (Google Inc.). We also use Firebase Remote Config,
which allows us to run A/B tests and customize the behavior and appearance of
the app without having to download a new version. Personal data is not stored.

Google Inc. is certified under the Privacy
Shield Agreement, which provides a guarantee to comply with European privacy
legislation
(https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Subcontractors that Google can use can be found here:
https://firebase.google.com/terms/subprocessors.

The legal basis for the use of data analysis
and the use of Firebase is a legitimate interest (i.e. interest in the analysis,
optimization and economic operation of our apps) within the meaning of Art. 6
(1) (f) GDPR.

You can opt-out of using Firebase at any time
by changing the setting of the slider for anonymous statistics in the app under
"Settings".

4.2.9 Adform

For the purposes of online marketing
(specifically, bid optimization, audience extension, statistical analysis of location
data, visitor analysis and user behavior and delivery of advertisements), we
use services provided by Adform ApS, Hovedvagtsgade 6, 1103 Copenhagen K,
Denmark. Adform can use cookies in this context. Personal data will not be
stored; your IP address will be anonymised by Adform. You may object to the use
of Adform and its cookies at any time by following this link: https://site.adform.com/datenschutz-opt-out/.

The legal basis for the use of Adform is a
legitimate interest within the meaning of Art. 6 (1) (f) GDPR. The legitimate
interest lies in making our services user-friendly and addressing potential
customers in a target group-oriented manner.

4.2.10 Facebook Pixel

The “Facebook Pixel” from the social network
Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA, is used
within our website. This means that what are termed tracking pixels are
integrated into our pages. When you visit our pages, the tracking pixel creates
a direct link between your browser and the Facebook server.

This provides Facebook with information
from your browser, for instance that our page was accessed by your device. If
you are a Facebook user, Facebook can allocate the visit to our pages to your
user account. Please note that as the provider of the pages we are not informed
about the content of the data transferred or its use by Facebook. We can merely
choose which segments of Facebook users (age, interests) our advertising is to
be shown to.

By accessing the pixel on your browser,
Facebook can also identify whether displaying an advertisement on Facebook was
successful, e.g. if it resulted in an online sale being completed. This enables
us to record the effectiveness of Facebook advertisements for statistical and
market-research purposes.

Please click here if you wish to opt out of
data recording via Facebook Pixel:
https://www.facebook.com/settings?tab=advertisements#_=_. Alternatively, you
can deactivate the Facebook Pixel on the Digital Advertising Alliance page via
the following link: http://www.aboutads.info/choices/.

Transfer of data to the USA is permissible
under Art. 45 GDPR because Facebook is Privacy Shield certified and thus an
adequate level of protection exists according to the Implementing Decision of
the Commission (EU) 2016/1250 (http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The certification can be viewed at
https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

The legal basis is a legitimate interest under
Art. 6 (1) sentence 1 f GDPR, namely pursuance of our business purposes and the
targeted marketing of our services.

4.2.11 Google Remarketing

Our websites use the remarketing or “similar
audiences” function from Google Inc. (“Google”). This enables us to target the
visitors to our websites with advertising by displaying personalized,
interest-driven advertisements to the users of the website when they visit
other websites in the Google Display network. Google uses cookies to perform
the analysis of the website use, on the basis of which the interest-driven
advertisements are generated. No personal data of the website visitors is
stored. If you then visit another website in the Google Display network, you
will be shown advertisements that are highly likely to relate to product and
information areas you have previously accessed.

You can permanently deactivate the use of
cookies by Google by clicking the following link and downloading and installing
the plug-in provided there:
https://www.google.com/settings/advertisements/plugin. Alternatively, you can
deactivate the use of cookies from third-party providers by accessing the
deactivation page of the Network Advertising Initiative at
http://www.networkadvertising.org/choices/ and then implementing the additional
information about opting out as set out there. For further information on
Google Remarketing and Google's Privacy Statement, click: http://www.google.com/privacy/advertisements/.

The legal basis is a legitimate interest under
Art. 6 (1) sentence 1 f GDPR, namely pursuance of our business purposes and the
targeted marketing of our services.

Google is certified under the Privacy Shield
Agreement and thus warrants that it complies with European privacy legislation
(https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

The Google Marketing Services enable us to
display advertisements for and on our website in a more targeted manner so
that users are only shown advertisements that they may be interested in. If a
user sees e.g. advertisements for products that he or she was interested in on
other websites, this is referred to as “remarketing”. For this purpose, when our
websites and other websites are accessed on which Google Marketing Services are
active, Google directly executes a Google code and what are termed
(re)marketing tags (invisible graphics or code, also known as “web beacons”)
are integrated into the website. These are used to store an individual cookie,
i.e. a small file on the user’s device (comparable technologies may also be
used instead of cookies). The cookies may be set by various domains, including
google.com, doubleclick.net, invitemedia.com, admeld.com,
googlesyndication.com, or googleadservices.com. This file records which
websites the user searches for, the content he or she is interested in and
which offers he or she has clicked. It also stores technical information on the
browser and operating system, referring websites, time of visit, and other
information on the use of the online offering. Similarly, the user’s IP address
is recorded, whereby in the context of Google Analytics we state that the IP
address is shortened within Member States of the European Union or in other
signatory states of the Agreement on the European Economic Area. Only in
exceptional cases is it transferred in full to a Google server in the USA and
shortened there. The IP address is not merged with the user’s data within other
Google offerings. Google may also combine the above information with
information from other sources. If the user subsequently visits other websites,
tailored advertisements can be displayed depending on his or her interests.

The user’s data is processed in a pseudonymized
form as part of the Google Marketing Services. This means that Google stores
and processes e.g. not the user’s name or e-mail address, but instead processes
the relevant data based on the cookie within pseudonymized user profiles. This
means that, from Google’s perspective, the advertisements are not managed and
displayed for a specifically identifiable person, but for the holder of the
cookie, irrespective of who the holder of this cookie is. This does not apply
if a user has expressly permitted Google to process the data without this
pseudonymization. The information about the user collected by Google Marketing
Services is transferred to Google and stored on Google’s servers in the USA.

The Google Marketing Services deployed by us
include the “Google AdWords” online advertising program. Google AdWords
supplies every AdWords customer with a different “conversion cookie”. This
means that cookies cannot be traced via the websites of AdWords customers. The
information obtained using the cookie enables conversion statistics to be
produced for AdWords customers who have opted for conversion tracking. The AdWords
customers are notified of the total number of users who clicked their
advertisement and were forwarded to a page containing a conversion tracking
tag. However, they are not given any information that could be used to
personally identify users.

We may involve third parties on the basis of
the “DoubleClick” Google marketing services. DoubleClick uses cookies that
enable Google and its partner websites to place advertisements on the basis of
users’ visits to this website and other websites on the Internet.

Additionally, we may deploy the “Google Tag
Manager” to integrate and manage the Google analytics and marketing service
within our website.

For further information on data usage for
marketing purposes by Google, refer to the overview page:
https://www.google.com/policies/technologies/advertisements; Google’s privacy
policy can be accessed at https://www.google.com/policies/privacy.

If you would like to opt out of interest-driven
advertising from Google Marketing Services, you can use the settings and
opt-out options provided by Google:
http://www.google.com/advertisements/preferences.

4.2.13 Optimizely

Our websites use Optimizely, a web-analytics
service from Optimizely Inc. (631 Howard Street, Suite 100, San Francisco, CA
94105, United States) for the simplification and performance of A/B tests to
further develop this website. The information generated by a cookie about your
use of the website is usually transferred to one of Optimizely’s servers in the
USA and stored there. The cookie generated by Optimizely has a term of ten
years.

Transfer of data to the USA is permissible
under Art. 45 GDPR because Optimizely is Privacy Shield certified and thus an
adequate level of protection exists according to the Implementing Decision of
the Commission (EU) 2016/1250
(http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000TNkWAAW&status=Active.

Your opt-out option: You can deactivate
tracking by Optimizely at any time by following the instructions at
https://www.optimizely.com/opt_out.

We use the “Tealium Audience Stream”, a service
by Tealium Inc., 11085 Torreyana Road, San Diego, CA 92121, USA (Tealium)
within our website. This collects and stores data that we use to create
pseudonymized user profiles. On our behalf, Tealium will use this information
to structure your use of the website in line with your needs automatically and
in real time and to display advertising. For this purpose, information
including the following is collected: viewed and clicked advertisements,
articles, advertising, visitor numbers, subject matter of the page, etc.

The pseudonymized user profiles are not merged
with personal data about the bearer of the pseudonym without consent, which
must be provided separately. Similarly, the IP address transmitted by your
browser is not merged with the usage profiles.

Cookies, or similar technologies for mobile end devices, are used to create the
usage profiles. The information
generated by the cookie about your use of this website is stored exclusively in
Germany. You can prevent the storage of the cookies by making a corresponding
setting in your browser software; however, please note that if you do so you
may not be able to use all functions of this website fully.

You may opt out of the data collection and
storage for the purposes of web analysis and the placement of advertisements
with future effect by following the instructions on
http://tealium.com/de/privacy/.

This website uses a Tag Management System
(TMS), a service from Tealium Inc., 11085 Torreyana Road, San Diego, CA 92121,
USA (Tealium), for the dynamic customization of parts of the website. To enable
this functionality, a cookie called utag_main is set. The TMS is needed for us
to provide our services and can therefore not be deactivated. The cookie has a
term of twelve months.

Data transferred to Tealium is transferred to
the USA and thus to a country outside the EU and the EEA. This is permissible
under Art. 45 GDPR because Tealium is Privacy Shield certified and thus an
adequate level of protection exists according to the Implementing Decision of
the Commission (EU) 2016/1250
(http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000TSaYAAW&status=Active.

We use Adobe Analytics, a web-analytics tool
from Adobe Systems Software Ireland Limited, that enables us to optimize our
services in line with your requirements.

Adobe Analytics
uses cookies that are stored on your computer and enable an analysis of your
use of the website. The information generated by the cookie about your use of
this website (including your IP address) is transferred to servers of the
service in Ireland where it is anonymized. It is then transferred to servers in
the USA for further processing, where it is stored. Adobe uses this information
to evaluate your use of the website to compile reports on website activities
for the website operators and to provide further services connected with the
use of the website and the Internet.

No personal data
is stored because of the anonymization.

As a user of our websites you of course have
the option to block cookies at any time in your browser settings. You can opt
out of any future recording of your user behavior on the Platform at any time;
click the following link for instructions on how to deactivate cookies on your
computer: https://www.adobe.com/privacy/opt-out.html.

The legal basis for processing this data is a
legitimate interest under Art. 6 (1) (f) GDPR. The legitimate interest as
defined by Art. 6 (1) (f) GDPR that we are pursuing by processing the data
described above is our interest in structuring our offerings in a user- and
demand-driven manner. No conflicting interest is apparent, especially because
you may opt out at any time.

4.2.17 ScoreCard Research Beacon

Our websites use ScorecardResearch Beacon, a
service by Full Circle Studies, Inc., 11950 Democracy Drive, Reston, VA 20190,
USA. Among other things, ScorecardResearch Beacon uses cookies that are saved
on your computer and enable an analysis of your use of the website. During use,
data such as in particular the IP address and users’ activities may be
transmitted to a server of Full Circle Studies, Inc. and stored there. Full
Circle Studies, Inc. may transfer this information to third parties to the
extent that this is prescribed by law or where third parties process the data.
You may prevent the collection and forwarding of personal data (in particular
your IP address) and the processing of the data by deactivating JavaScript in
your browser or installing a tool such as NoScript (www.noscript.net). You can
find further information on data protection when using ScorecardResearch Beacon
under the following link: http://www.fullcirclestudies.com/privacy.aspx. You can access an opt-out option under the
following link: http://www.scorecardresearch.com/optout.aspx.

Your IP address is transferred to the USA and thus to a country outside the EU
and the EEA. This is permissible under Art. 45 GDPR because Tealium is Privacy
Shield certified and thus an adequate level of protection exists according to
the Implementing Decision of the Commission (EU) 2016/1250
(http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016D1250&from=DE).
The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000PC0qAAG&contact=true.

The legal basis for processing this data is a
legitimate interest under Art. 6 (1) (f) GDPR. The legitimate interest as
defined by Art. 6 (1) (f) GDPR that we are pursuing by processing the data
described above is our interest in structuring our offerings in a user- and
demand-driven manner. No conflicting interest is apparent, especially because
you may opt out at any time.

4.2.18 Lead Forensics

For the purposes of marketing and optimization,
the products and services of the company LeadForensics (http://www.leadforensics.com)
are used in the B2B area of our websites. The head office of LeadForensics is
located at Communication House 26 York Street, London, W1U 6PZ United Kingdom.
Lead Forensics identifies details of your organization including phone number, web
address, SIC code, and a description of the company. In the process, Lead Forensics
shows the actual course of your visit to this website, including all the pages
that you visited and viewed and how long you spent on this page. Under no
circumstances will the data be used to personally identify an individual
visitor. Personal data is not stored. As far as IP addresses
are collected, these will be anonymized immediately after collection. On our
behalf, Lead Forensics will use the information collected to evaluate your visit
to the website, to compile reports on website activity and to provide other
services related to website activity and internet usage to us. If you do not
agree, you can object to the collection, processing and storage of data at any
time with a view to the future by clicking on the following link:
http://lfwebproxy.westeurope.cloudapp.azure.com:5000/?clientID= 99483

The legal basis is a legitimate interest within the
meaning of Art. 6 (1) (f) GDPR. The legitimate interest lies in the fact
that we want to tailor our services to the target group and to pursue target
group-oriented marketing.

4.2.19 Use of the SalesViewer® technology

On our websites the SalesViewer® technology from SalesViewer® GmbH, Nikolaistr. 2 44866 Bochum is used to collect and store data for marketing, market research and optimization purposes in the course of data processing.

A JavaScript-based code is used to collect business-related data and use. The data collected with this technology is encrypted via one-way hashing. The data is immediately pseudonymised and not used to personally identify the visitor.

Data collection and storage can be objected to at any time with effect for the future by clicking on this link: http://www.salesviewer.com/opt-out. This prevents collection by SalesViewer® within this website in the future. An opt-out cookie for this website is then stored on your device. If you delete your cookies in this browser, you must click this link again.

SalesViewer® uses the subcontractor Hetzner Online GmbH, Industriestr. 25, 91710, Gunzenhausen for server hosting (Infrastructure SalesViewer®) and Host Europe GmbH, Welserstraße 14, 51149 Cologne for the provision of the DNS server for SalesViewer®.

The legal basis is a legitimate interest under Art. 6 (1) sentence 1 f GDPR, namely pursuance of our business purposes for the demand-driven structuring of our offerings. No conflicting interest is apparent, especially because you may opt out at any time and no personal data is stored.

5. Recipients or categories of recipients of personal data

We use data processors as specified above for the respective processing purposes (in particular, “StepStone Surveys”, “hosting and securing our platforms, administrative, troubleshooting, and support services” and “Cookies and technologies that we use via third party providers”). These can therefore, as described there, be the recipient of personal data.
Additionally, we may also provide information to third parties on the basis of your consent or any agreement you have with us, as described above (in particular under “Application Form”, under “MyStepStone Account” for a profile made available to you by potential employers and under “Data processing when publishing advertisement products” in relation to business customers and their employees) so that these can be recipients as described.

6. Transfers of data to countries outside the EU or the EEA

In certain cases, we may transfer personal information to a country outside the EU or the EEA (so-called third countries). Essentially, this can be the case if you are applying for a job and the recruiter is based in a third country. More details can be found above under “Application form” or “MyStepStone Account”. Furthermore, we use data processors or, within the scope of a legitimate interest, service providers that process data in some cases in third countries. For details, see “Sending of Emails and Other Messages”, “Proxy Caching and Web Application Firewall”, “Google Re-Captcha”, “Youtube Videos”, “StepStone Webinars” and “Cookies and technologies that we use via third party providers”.

7. Rights of the data subject

If your personal data is processed, you are a
data subject within the meaning of the GDPR and you have the following rights
vis-à-vis the data controller:

7.1 Right of access

You may request confirmation from us as to
whether we process personal data relating to you.

If such processing is taking place, you can
request the following information from us:

(1) the purposes for which the personal data is being processed;

(2) the categories of personal data that are being processed;

(3) the recipient or categories of recipient to whom the personal data concerning you has been or will be disclosed;

(4) the envisaged period for which the personal data concerning you will be stored or, if no concrete information about this is possible, criteria used to determine that period;

(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to restrict the processing of the data by the controller or a right to object to this processing;

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) any available information about the origin of the data if the personal data was not collected from the data subject;

(8) the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved and the scope and the intended effects of such processing for the data subject.

You have the right to request information about
whether the personal data in question will be transferred to a third country or
an international organization. In this context you can ask to be notified of
the suitable safeguards in accordance with Art. 46 GDPR in the context of the
transfer.

This right to information may be limited if it
is likely to render impossible or seriously impair the achievements of the
statistical purposes and the limitation is necessary for satisfying the
statistical purposes.

You have the right to receive a copy of the personal data undergoing the processing. For any further copy you request, we may charge a reasonable fee based on administrative costs. If the application is submitted electronically, the information must be provided in a standard electronic format, unless otherwise specified.
The right to receive the copy must not affect the rights and freedoms of others.

7.2 Right to rectification

You have a right to rectification and/or
completion vis-à-vis the data controller if the personal data concerning you
that is being processed is incorrect or incomplete. The data controller must
perform the rectification without undue delay.

Your right to rectification may be limited if
it is likely to render impossible or seriously impair the achievements of the
statistical purposes and the limitation is necessary for satisfying the
statistical purposes.

7.3 Right to restriction of processing

If the following conditions are met, you can
demand that the processing of the personal data concerning you is restricted:

(1) if you contest the accuracy of the personal data relating to you for a duration that enables us to review the accuracy of the personal data;

(2) if the processing is unlawful and you oppose the erasure of the personal data and instead request a restriction of the use of the personal data;

(3) if we no longer require the personal data for the purposes of the processing, but you need it to establish, exercise, or defend legal claims, or

(4) if you have objected to the processing in accordance with Art. 21 (1) GDPR and it has not yet been verified whether our legitimate reasons override yours.

If the processing of the personal data
concerning you has been limited, this data – with the exception of being stored
by you – may only be processed with your consent or for the purpose of
establishing, exercising, or defending legal claims or to protect the rights of
another natural or legal person or on grounds of a compelling public interest of the
EU or a Member State.

If a restriction of processing has been imposed
in accordance with the above conditions, we will notify you before the
restriction is lifted.

Your right to restrict processing may be
limited if it is likely to render impossible or seriously impair the
achievements of the statistical purposes and the limitation is necessary for
satisfying the statistical purposes.

7.4 Right to erasure

7.4.1 Erasure obligation

You may request that we erase the personal data
concerning you without undue delay, and we are obliged to erase this data
without undue delay where one of the following grounds applies:

(1) The personal data concerning you is no longer needed for the purposes for which it was collected or otherwise processed.

(2) You withdraw your consent upon which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and no other legal ground for the processing applies.

(3) You object to the processing in accordance with Art. 21 (1) GDPR and no overriding legitimate grounds for the processing apply, or you raise an objection to the processing under Art. 21 (2) GDPR.

(4) The personal data concerning you has been processed unlawfully.

(5) The erasure of the personal data concerning you is required in order to comply with a legal obligation under EU law or the law of the Member States to which we are subject.

(6) The personal data concerning you is collected in the context of information society services pursuant to Art. 8 (1).

7.4.2 Information to third parties

If we have published the personal data
concerning you and we are obliged to delete it under Art. 17 (1) GDPR, we will
take reasonable steps (including in terms of technical feasibility), taking
account of the available technology and implementation costs, in order to
notify the responsible data controller who is processing the data that you as a
data subject have requested from them the erasure of all links to this personal
data or copies or replications of this personal data.

7.4.3 Exceptions

There is no right to erasure if the processing
is necessary

(1) for the exercise of the right to the freedom of expression and information;

(2) to satisfy a legal obligation that requires the data to be processed under the law of the EU or the Member States to which the data controller is subject, or to perform a task that is carried out in the public interest or in the exercise of official authority vested in the data controller;

(3) on grounds of the public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;

(4) for archiving purposes in the public interest, academic or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, provided the right specified under section a) is likely to render impossible or seriously impair the achievements of the objectives of this processing or

(5) to establish, exercise, or defend legal claims.

7.5 Right to data portability

You have the right to receive the personal
data concerning you that you have provided to us in a structured, commonly used,
and machine-readable format. Further, you have the right to transmit this data
to a different data controller without hindrance from us, provided

(1) the data processing is based on consent under Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and

(2) the processing is being performed using automated means.

Further, in exercising this right you also have
the right to have the personal data concerning you transferred directly from
one data controller to another data controller, where technically feasible.
This must not adversely affect other people’s rights and freedoms.

The right to data portability does not apply to
the processing of personal data that is required for a task that is performed
in the public interest or the exercise of official authority vested in us.

7.6 Right to object

You have the right to object, on grounds
relating to your specific situation, at any time to the processing of
the personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR;
this also applies to any profiling based on those provisions.

In this case we will stop processing the
personal data concerning you unless we can provide compelling and legitimate
grounds for the processing that override your interests, rights and freedoms,
or the data is being processed for the purpose of establishing, exercising, or
defending legal claims.

If the personal data concerning you is being
processed for the purpose of conducting direct marketing, you have the right to
object at any time to the processing of the personal data concerning you for
such marketing; this also applies to any profiling connected to such direct
marketing.

If you object to the data processing for the
purposes of direct advertising, the personal data concerning you will no longer
be processed for these purposes.

In the context of the use of information
society services and Directive 2002/58/EC notwithstanding, you may exercise
your right to object by automated means using technical specifications.

Where personal data is processed for
statistical purposes pursuant to Art. 89 (1) GDPR, you, on grounds relating to
your specific situation, have the right to object to personal data concerning
you being processed.

Your right to object may be limited if it is
likely to render impossible or seriously impair the achievements of the statistical
purposes and the limitation is necessary for satisfying statistical purposes.

7.7 Right to withdraw the declaration of consent under data-processing law

You have the right to withdraw your declaration
of consent under data-processing law at any time. Withdrawing the consent has
no bearing on the lawfulness of any processing performed up to the point of the
revocation.

7.8 Automated decision in individual cases including profiling

You have the right not to be subject to a
decision that is based solely on automated processing – including profiling –
that produces legal effects on you or similarly significantly affects you.
This does not apply if the decision

(1) is necessary for entering into or performing a contract between you and the data controller,

(2) is authorized under legal provisions of the EU or the Member States to which the data controller is subject and these legal provisions contain adequate measures for safeguarding your rights and freedoms as well as your legitimate interests or

(3) is made with your explicit consent.

However, these decisions must not be based on
special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9
(2) (a) or (g) applies and adequate safeguards to protect the rights and
freedoms as well as your legitimate interests are in place.

As regards the cases stated in (1) and (3), we
take adequate measures to safeguard your rights and freedoms as well as your legitimate
interests, which include at least the right to have a person intervene on the
data controller’s side, to present your own point of view, and to challenge a
decision.

7.9 Right to lodge a complaint with a supervisory authority

Notwithstanding any other administrative or
judicial legal remedy, you have the right to lodge a complaint with a
supervisory authority in the Member State of your place of residence, your
workplace, or the place of the alleged breach if you are of the opinion that
the processing of the personal data concerning you breaches the GDPR.

The supervisory body to which the complaint was
submitted will notify the complainant of the status and outcomes of the
complaint including the option of a judicial remedy under Art. 78 GDPR. The responsible supervisory authority is the Data Protection Authority: https://www.dataprotectionauthority.be/

8. Is there an obligation to provide personal information?

If you want to create a job agent or a MyStepStone account or if you would like to use our services as a business customer, you have to provide certain data within the scope of the contract to be concluded. We will specify such data. In any other context, the provision of personal data is neither required by law nor by contract, nor are you required to provide personal information. However, the provision of personal data for the use of our services may also be partially required within the services we provide. In other words, if you do not provide us with the information we specify to be necessary, we may not be able to provide you with the full scope of services.

9. Amendment of the Privacy Statement; amendment of purpose

We reserve the right to amend this Privacy Statement in consideration of stipulations under data-protection law.
You will always be able to locate the current version here or at another
corresponding, easily locatable point of our website or app. If we are intending to process your data for purposes other than
those for which it was collected, we will notify you about this in advance in
compliance with the statutory provisions.